[dunfell,02/14] openssh: Fix CVE-2021-41617

Message ID a4e272700e18ca7e86e24ce4e24031ce7745c87b.1640181998.git.steve@sakoman.com
State Accepted, archived
Commit a4e272700e18ca7e86e24ce4e24031ce7745c87b
Series [dunfell,01/14] bluez: fix CVE-2021-0129

Commit Message

Steve Sakoman Dec. 22, 2021, 2:12 p.m. UTC
From: sana kazi <sanakazisk19@gmail.com>

Add patch to fix CVE-2021-41617
Link: https://bugzilla.suse.com/attachment.cgi?id=854015

Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssh/openssh/CVE-2021-41617.patch      | 52 +++++++++++++++++++
 .../openssh/openssh_8.2p1.bb                  |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch

Comments

Jacob Kroon Dec. 30, 2021, 6:54 p.m. UTC | #1
On 12/22/21 15:12, Steve Sakoman wrote:
> From: sana kazi <sanakazisk19@gmail.com>
> 
> Add patch to fix CVE-2021-41617
> Link: https://bugzilla.suse.com/attachment.cgi?id=854015
> 
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  .../openssh/openssh/CVE-2021-41617.patch      | 52 +++++++++++++++++++
>  .../openssh/openssh_8.2p1.bb                  |  1 +
>  2 files changed, 53 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> 
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> new file mode 100644
> index 0000000000..bda896f581
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> @@ -0,0 +1,52 @@
> +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
> +From: Ali Abdallah <aabdallah@suse.de>
> +Date: Wed, 24 Nov 2021 13:33:39 +0100
> +Subject: [PATCH] CVE-2021-41617 fix
> +
> +backport of the following two upstream commits
> +
> +f3cbe43e28fe71427d41cfe3a17125b972710455
> +bf944e3794eff5413f2df1ef37cddf96918c6bde
> +
> +CVE-2021-41617 failed to correctly initialise supplemental groups
> +when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
> +where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
> +directive has been set to run the command as a different user. Instead
> +these commands would inherit the groups that sshd(8) was started with.
> +---
> + auth.c | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +CVE: CVE-2021-41617
> +Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
> +Comment: No change in any hunk
> +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> +
> +diff --git a/auth.c b/auth.c
> +index 163038f..a47b267 100644
> +--- a/auth.c
> ++++ b/auth.c
> +@@ -52,6 +52,7 @@
> + #include <limits.h>
> + #include <netdb.h>
> + #include <time.h>
> ++#include <grp.h>
> + 
> + #include "xmalloc.h"
> + #include "match.h"
> +@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
> + 		}
> + 		closefrom(STDERR_FILENO + 1);
> + 
> ++		if (geteuid() == 0 &&
> ++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
> ++			error("%s: initgroups(%s, %u): %s", tag,
> ++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
> ++			_exit(1);
> ++		}
> ++
> + 		/* Don't use permanently_set_uid() here to avoid fatal() */
> + 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
> + 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
> +-- 
> +2.26.2
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> index b60d1a6bd4..e903ec487d 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>             file://add-test-support-for-busybox.patch \
>             file://CVE-2020-14145.patch \
>             file://CVE-2021-28041.patch \
> +           file://CVE-2021-41617.patch \
>             "
>  SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
>  SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> 
> 
> 
> View/Reply Online (#159947): https://lists.openembedded.org/g/openembedded-core/message/159947
> 

I would have expected this patch to leave a mark in my buildhistory, but
nothing related to openssh(d) shows up.

Size of /usr/sbin/sshd stays the same, which at least to me is a little
odd... but I can see that the sha256sum output of sshd changes.

(It would be nice to have sha256sum hashes of files in buildhistory)

Am I the only one who thinks this is a little strange?

/Jacob
Jacob Kroon Dec. 30, 2021, 7:04 p.m. UTC | #2
On 12/30/21 19:54, Jacob Kroon via lists.openembedded.org wrote:
> I would have expected this patch to leave a mark in my buildhistory, but
> nothing related to openssh(d) shows up.
> 
> Size of /usr/sbin/sshd stays the same, which at least to me is a little
> odd... but I can see that the sha256sum output of sshd changes.
> 
> (It would be nice to have sha256sum hashes of files in buildhistory)
> 
> Am I the only one who thinks this is a little strange?
> 
> /Jacob
> 

Let me rephrase, I do see changes related to debug information and the
debug package, but no change in the resulting '/usr/sbin/sshd' size that
goes in the final image.

/Jacob
Steve Sakoman Dec. 30, 2021, 8:17 p.m. UTC | #3
On Thu, Dec 30, 2021 at 9:04 AM Jacob Kroon <jacob.kroon@gmail.com> wrote:
>
> On 12/30/21 19:54, Jacob Kroon via lists.openembedded.org wrote:
> > On 12/22/21 15:12, Steve Sakoman wrote:
> >> From: sana kazi <sanakazisk19@gmail.com>
> >>
> >> Add patch to fix CVE-2021-41617
> >> Link: https://bugzilla.suse.com/attachment.cgi?id=854015
> >>
> >> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> >> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
> >> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> >> ---
> >>  .../openssh/openssh/CVE-2021-41617.patch      | 52 +++++++++++++++++++
> >>  .../openssh/openssh_8.2p1.bb                  |  1 +
> >>  2 files changed, 53 insertions(+)
> >>  create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >>
> >> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >> new file mode 100644
> >> index 0000000000..bda896f581
> >> --- /dev/null
> >> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
> >> @@ -0,0 +1,52 @@
> >> +From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
> >> +From: Ali Abdallah <aabdallah@suse.de>
> >> +Date: Wed, 24 Nov 2021 13:33:39 +0100
> >> +Subject: [PATCH] CVE-2021-41617 fix
> >> +
> >> +backport of the following two upstream commits
> >> +
> >> +f3cbe43e28fe71427d41cfe3a17125b972710455
> >> +bf944e3794eff5413f2df1ef37cddf96918c6bde
> >> +
> >> +CVE-2021-41617 failed to correctly initialise supplemental groups
> >> +when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
> >> +where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
> >> +directive has been set to run the command as a different user. Instead
> >> +these commands would inherit the groups that sshd(8) was started with.
> >> +---
> >> + auth.c | 8 ++++++++
> >> + 1 file changed, 8 insertions(+)
> >> +
> >> +CVE: CVE-2021-41617
> >> +Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
> >> +Comment: No change in any hunk
> >> +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> >> +
> >> +diff --git a/auth.c b/auth.c
> >> +index 163038f..a47b267 100644
> >> +--- a/auth.c
> >> ++++ b/auth.c
> >> +@@ -52,6 +52,7 @@
> >> + #include <limits.h>
> >> + #include <netdb.h>
> >> + #include <time.h>
> >> ++#include <grp.h>
> >> +
> >> + #include "xmalloc.h"
> >> + #include "match.h"
> >> +@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
> >> +            }
> >> +            closefrom(STDERR_FILENO + 1);
> >> +
> >> ++           if (geteuid() == 0 &&
> >> ++               initgroups(pw->pw_name, pw->pw_gid) == -1) {
> >> ++                   error("%s: initgroups(%s, %u): %s", tag,
> >> ++                       pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
> >> ++                   _exit(1);
> >> ++           }
> >> ++
> >> +            /* Don't use permanently_set_uid() here to avoid fatal() */
> >> +            if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
> >> +                    error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
> >> +--
> >> +2.26.2
> >> diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> index b60d1a6bd4..e903ec487d 100644
> >> --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
> >> @@ -26,6 +26,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> >>             file://add-test-support-for-busybox.patch \
> >>             file://CVE-2020-14145.patch \
> >>             file://CVE-2021-28041.patch \
> >> +           file://CVE-2021-41617.patch \
> >>             "
> >>  SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
> >>  SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
> >>
> >>
> >>
> >>
> >>
> >
> > I would have expected this patch to leave a mark in my buildhistory, but
> > nothing related to openssh(d) shows up.
> >
> > Size of /usr/sbin/sshd stays the same, which at least to me is a little
> > odd... but I can see that the sha256sum output of sshd changes.
> >
> > (It would be nice to have sha256sum hashes of files in buildhistory)
> >
> > Am I the only one who thinks this is a little strange?
> >
> > /Jacob
> >
>
> Let me rephrase, I do see changes related to debug information and the
> debug package, but no change in the resulting '/usr/sbin/sshd' size that
> goes in the final image.

Yes, it is unusual that the size of sshd is the same pre and post patch.

I checked the size of auth.o pre and post patch, and it is also the
same (not surprisingly!)

However, I've verified that the patch modifies auth.c as desired, and
the md5sums for both auth.o and sshd are different pre and post patch
(as expected)

So this is just one of those cases where different code results in the
same size!

Steve
Jacob Kroon Dec. 30, 2021, 10 p.m. UTC | #4
On Thu, 30 Dec 2021, 21:17 Steve Sakoman, <steve@sakoman.com> wrote:

> On Thu, Dec 30, 2021 at 9:04 AM Jacob Kroon <jacob.kroon@gmail.com> wrote:
> >
> > Let me rephrase, I do see changes related to debug information and the
> > debug package, but no change in the resulting '/usr/sbin/sshd' size that
> > goes in the final image.
>
> Yes, it is unusual that the size of sshd is the same pre and post patch.
>
> I checked the size of auth.o pre and post patch, and it is also the
> same (not surprisingly!)
>
> However, I've verified that the patch modifies auth.c as desired, and
> the md5sums for both auth.o and sshd are different pre and post patch
> (as expected)
>
> So this is just one of those cases where different code results in the
> same size!
>
> Steve


Thanks for double checking.
/Jacob

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..bda896f581
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@ 
+From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <aabdallah@suse.de>
+Date: Wed, 24 Nov 2021 13:33:39 +0100
+Subject: [PATCH] CVE-2021-41617 fix
+
+backport of the following two upstream commits
+
+f3cbe43e28fe71427d41cfe3a17125b972710455
+bf944e3794eff5413f2df1ef37cddf96918c6bde
+
+CVE-2021-41617 failed to correctly initialise supplemental groups
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
+where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
+directive has been set to run the command as a different user. Instead
+these commands would inherit the groups that sshd(8) was started with.
+---
+ auth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/auth.c b/auth.c
+index 163038f..a47b267 100644
+--- a/auth.c
++++ b/auth.c
+@@ -52,6 +52,7 @@
+ #include <limits.h>
+ #include <netdb.h>
+ #include <time.h>
++#include <grp.h>
+ 
+ #include "xmalloc.h"
+ #include "match.h"
+@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
++		if (geteuid() == 0 &&
++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
++			error("%s: initgroups(%s, %u): %s", tag,
++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++			_exit(1);
++		}
++
+ 		/* Don't use permanently_set_uid() here to avoid fatal() */
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+-- 
+2.26.2
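Review bot: Upstream-Status on the new patch points at a SUSE bugzilla attachment, while the patch description says it is a backport of two named upstream openssh commits (f3cbe43e28fe71427d41cfe3a17125b972710455 and bf944e3794eff5413f2df1ef37cddf96918c6bde); OE-Core convention is to reference those upstream commits in `Upstream-Status: Backport [...]` so the backport can be checked against openssh's tree, and the line `Comment: No change in any hunk` should state what it is unchanged relative to (the attachment as downloaded). The code placement itself is right: `initgroups(pw->pw_name, pw->pw_gid)` runs in the child before the `setresgid()` call that follows it, while the process is still euid 0 (initgroups needs root, hence the `geteuid() == 0` guard), and failure takes `_exit(1)` like the surrounding child code, so a failed group setup can no longer fall through and run the AuthorizedKeysCommand/AuthorizedPrincipalsCommand with the supplementary groups sshd itself was started with; the new `#include <grp.h>` is what declares initgroups() and is needed for the first hunk to compile cleanly.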
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index b60d1a6bd4..e903ec487d 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -26,6 +26,7 @@  SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://add-test-support-for-busybox.patch \
            file://CVE-2020-14145.patch \
            file://CVE-2021-28041.patch \
+           file://CVE-2021-41617.patch \
            "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
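Review bot: No CVE_CHECK_WHITELIST entry is needed alongside this SRC_URI addition: the `CVE: CVE-2021-41617` tag in the patch header (and the CVE-2021-41617.patch filename) is what cve-check.bbclass reads to report the CVE as patched for openssh 8.2p1. Because the file is appended after CVE-2021-28041.patch it is applied last in the series, and per its own diffstat it only touches auth.c, so no interaction with the earlier CVE patches is expected.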